Risk Management in Istat: from the project to the process

Transcription

1 WORKSHOP ON RISK MANAGEMENT SYSTEMS AND PRACTICES Risk Management in Istat: from the project to the process Genève, April 2016 Page 1

2 Management System Network Values and ethics Organizational culture Effectiveness and efficiency Leadership and relationship Quality and integrity of data Methods and procedures standardization supporting changes Staff and Organization Assessment Treatment & Monitoring Ethics, anticorruption& disclosure Audit & ICT Governance Goals & Strategies No overlapping!! Quality of services and products Supporting decision-making processes Enhancement of transparency Control Systems Checks Organizational culture Quality Analysis & Process Management Fabrizio Rotundi Page Page 2 2

3 Risk Management approach in ISTAT OBJECTIVES PROCESSES RISKS CONTROLS SETTING UP OBJECTIVES PROCESS MAPPING RISK ANALYSIS CONTROLS IN PROCESSES SELECTION OF PRIORITIES ECONOMIC VALUE RISK ASSESSMENT CONTROLS/ OBJECTIVES VULNERABILITIES OBJECTIVES/ PROCESSES PROCESS OBJECTIVES RISK TREATMENT CONTROL ASSESSMENT PROCESSES AND PRIORITY OBJECTIVES LEVEL OF RISKS IN PROCESSES INTERNAL CONTROL RELIABILITY RESPONSE ACTIONS MONITORING BASE Approach ADVANCED Approach PRO Approach Page 3

4 Risk Management System in Istat: from the project to the process Project launched Analysis and comparison of practices and models Identification of appropriate approach Establishing ISTAT s RM model Approach trial Survey on Risk perception Pilot and rollout of risk management approach RM training and dissemination Experimental phase Creation of risk registers Risk assessment RM training and dissemination Experimental phase Revision of risk registers Identification of risk treatments RM training and dissemination Full implementation Integration w/ operational planning Risk treatment monitoring Information System start-up Developments Froma bottom-up to top-down vision Adaptingmodel to Risk of Corruption Cooperationin International projects Dissemination The project developed following some parallel but related paths: 1. Organization: Both the President and the Directorate General endorsed and sponsored the project. A business unit was involved in implementing and coordinating risk management system 2. Training and dissemination program in order to improve management culture and promote a common language and understanding throughout the organization 3. All Risk Management process has been implemented 4. Information System has been developed to support the process 5. Change of perspective: Bottom-up/Top-down mixed approach Page 4

5 Risk Management System architecture in Istat According to the ISO 31000:2009, Istat s Risk Management system refers to the architecture used to manage risks that includes Principles, Framework, and Process. Page 5

6 Risk Definitions and Standards used in Istat s RM system Among the others(more than 60!), Istat selected: ISO 31000:2009: Risk Management Principles and Guidelines ISO/IEC 31010:2009: Risk assessment techniques ISO TR 31004:2013: Guidance for the implementation of ISO 31000:2009 COSO Model 2004/2013, a multidimensional standard that develops along three sides of the cube: 1) Objectives; 2) Organization; 3) Process. The selected Model defines: Enterprise Risk Management... a process effected by an entity s board of directors and management, applied in strategy setting and across the enterprise, designed to identify potential events that may affect the entity, and manage risk to be within its risk appetite, to provide reasonable assurance regarding the achievement of entity objectives. Risk: the effect of uncertainty on objectives, where an effect is a deviation from what is expected (positive and/or negative), often expressed in terms of a combination of the consequences of an event and the associated likelihood of occurrence. Page 6

7 Risk Profile and Risk Complexity Risk Profile is the set of risks that could affect all or part of an organization. It results from a comprehensive process that: concerns risk information from several sources; reflects recommendations from managers; envisages a risk questionnaire, revised guidelines, clearer definitions of risk sources and communication strategy. Risk Profile takes into account: Risk Appetite, which could be expressed either qualitatively or quantitatively, maybe in terms of ranges, and explored going through the impacts of past events and the reactions of key stakeholders(customers, employees, regulators,..). Risk Attitude (Existing Risk Profile). If an organization is particularly effective in managing certain types of risks, it may be willing to take on more risk in that category, conversely,itmaynothaveanyappetite inthatarea. Risk Acceptance, which refers to the maximum potential impact of a risk event that an organization could withstand. Often, appetite will be well below acceptance. Risk Perception, which describes how people perceive risks according to their values and interests Risk Tolerance, which is the level of variation that the entity is willing to accept around specific objectives. Risk Retention considers stakeholders conservative return expectations and a very low appetite for risk-taking. Page 7

8 Step 1: Survey on Risk perception Istat launched a survey on risk perception involving Top and Executive Managers, carried out trough a questionnaire: composed of about 70 questions and divided into four sections: 1. Internal control environment and organizational culture; 2. Objectives of the organization and Risk Management; 3. Identification and classification of risk factors; 4. "Cataloging" risks investigating four dimensions: I. therisk perception compared to the activities of each manager; II. the risk perception in the Institute as a whole; III. the maturity of the control environment in the structure leaded by each manager; IV. the maturity of the control environment in the Institute as a whole Page 8

9 Step 2: Risk Identification Organizational Risks have been identifiedusinga Framework representing: activities, descriptions, impactsand proposals of treatment To describe risks some criteria have been taken into account: o Risksmustbe linked to the objectives o Pay attention to the risks with generic impact on the objectives, but not relevant for the results o In identifying the risks, do not confuse them with the impacts o Avoid defining risks with assertions that are only the opposite of the objectives o The definition of a risk should understand the cause and consequences Page 9

10 Istat s Risk Register Examples of risk register pertaining to Organization": Category Risk Effect Treatment Compliance Resources Organization Personnel Technology Failure to observe the measures of personal data protection Access by unauthorized personnel (internal and external) to the data processing center and the network of the Institute Process steps too dependent on the skills owned by only one person Difficulty of turnover related to specialized expertise for monitoring the quality of collection, processing and data analysis Software tools not sufficiently tested for lack of technical support Inadequate levels of security in data access Possible alteration or tampering of computer equipment by unauthorized personnel Impossibility of implementing some steps of data production processes Delays and problems in various stages of the production process Reputational collapse; Low quality of statistical data Examples of risk register pertaining to"statistical Production": Training; Plan of monitoring compliance with the provisions for the protection of personal data processing Introduction of a registration process of physical access to the operating rooms.; Dissemination of safety instructions and procedures that must be followed in an emergency within the operating rooms; Monitoring and updating access rights. Development of a procedure for some data production processes to enlarge widespread competencies Periodic execution of procedures for staff mobility Securing computer systems. Measures aimed at ensuring the reliability and continuity of services provided by software Risk Delay in updating repositories to make balancing data Delay in receiving internal / external sources Lack of timeliness in the preparation of data files by the competent departments Lack of formalized procedures (supporting documentation, methodological notes, data quality control) Delay in receiving data concerning financial accounts and investments with regard to both sector and sub-sectors of Public Administrations Reduction of the amount of data collected at the local level Treatment Mapping and re-engineering the collecting data process for the estimation of a table chart-supply use Risk Analysis aimed at removing obstacles to the data collecting process through internal and interinstitutional agreements Mapping and re-engineering the production process of the national accounts relating to the production and value-added services non-market at current prices Improving communication and developing information-sharing initiatives Reviewing and monitoring agreements in place Execution and tender's award to provide tablet to municipal detectors of consumer prices Delay in the computerization of procedures for the acquisition and processing of data Activating the control system and correcting data through models used by other NSIs Transmission of questionnaires poorly filled out because of lack of competence Discontinuities in the collection mode and in the data stream Monitoring procedures of collection data by the local Authorities Reviewing Page 10 organizational process to manage replacements of those involved in data collection Difficulties in managing archives and data delivery aligned with new tax regulations Continuous staff training and making up working groups including statistics and informatics

11 Main priorities Areas Some areas were identified as particularly exposed to risks: 1. Management and administrative procedures: obsolescence, non-compliance, waste of resources, inefficiencies in sharing and disseminating information; 2. Recognition and quantification of project costs in order to properly deploy the available resources; 3. Integration among the management systems to support decision making and sector plans; 4. Tendering procedures: requirements, preparation of specifications (technical and legal), tender s award; 5. Technical management of contracts and their qualitative and quantitative supply monitoring Page 11

12 Results Risks and organisational criticalities: more than 96% of the total(100% in the Prioritization Areas) About 78% are criticalities, i.e. inefficiencies in management processes solved by organisational improvement (over80%inthep.a.) Prioritization All Areas Risks Areas N. % N. %. TOTAL ,0% ,0% Nature Risks 65 18,1% 33 19,4% Criticalities ,7% ,6% Others 15 4,2% 0 0,0% Type Strategic 22 6,1% 6 3,5% Compliance 6 1,7% 2 1,2% Operatives ,4% ,2% Reporting 13 3,6% 6 3,5% Exogenous 8 2,2% 1 0,6% About 4% are problems different from organisational risks (i.e. statistics, ICT, exogenous factors, human resource policies) Page 12

13 Step 3: Risk Assessment - C&RSA The risks were assessed by the same personnel who contributed to identify them, using the Control& Risk Self Assessment (C&RSA) method to measure the risk s likelihood and impact on the organization. 2 factors were considered to assess the risks 1. Impact: 2 variables(each weighted at 50% of the impact) were considered among: a) Organization (i.e. delay in producing output, extra workload); b) Reputation (internal and external), c) Economics(higher costs) 2. Likelihood (50% overall rating): number of occurrences in a significant sample of events, e.g. occurred in the last 12 months The multiplication of the factors determined the overall value of the risk Lowgravity(greenarea):about24%ofthecriticalevents Highest priority(red area): about 18% of critical events; Careful monitoring (yellow area): about 58% of the critical events, with different gradation Page 13

14 Step 4. Risks Treatment 466 organisational response actions(231 in Priorities Areas P.A. ) Treatment All Areas Prioritization Areas TOTAL Risks and Criticalities V.A. %. V.A. %. TOTAL ,0% ,0% Types Preventive 36 8,0% 24 10,4% Subsequents 6 1,3% 3 1,3% Improvement ,0% ,9% To deepen 83 18,4% 42 18,2% Others 64 14,2% 19 8,2% Responsabilities Internal ,8% ,7% External 44 9,8% 22 9,5% Cross-cutting ,2% 89 38,5% Not attributable 64 14,2% 19 8,2% 58% of the proposals refers to organisational or production improvement (about 62% in thep.a.); Nearly 38% of the actions are internal (about 44% in the p.a.); Over 38% of the actions requires the collaboration of different structures (about 39%intheP.A.) Page 14

15 From the Bottom-up to the Top-Down approach From 2015 on, the previous bottom-up approach is being integrated with a top-down one in order to enhance quality and significance of the information contained in the registers. Operational risks are identified by accountable managers and then gathered in strategic categories(corporate risks), in order to be assessed, treated and monitored. Among the others, Corporate risk selection takes into account the following criteria: Ability to monitor a risk response action by means of specific indicators; Organizational sustainability of the risk treatment proposed; Cross-cutting quality of the risk response actions proposed; Belonging of risks to one of the priority intervention areas. Corporate risks are specifically monitored by appropriate output and performance indicators. Page 15

16 Top-Down approach: «Corporate» risks Critical Events Corporate Risks 65 18,1% 34 16,3% 17 15,3% 7 35,0% Criticalities ,7% ,7% 89 80,2% 13 65,0% Others 15 4,2% 0,0% 5 4,5% TOTAL In2015,thecriticalevents(RisksandCriticalities)intheCatalogwere111,comparedto209attheendof 2014 and 359 of the experimental phase; among these, about 18% fall under the category"corporate". The risk treatments have significantly been reduced; in fact, in early 2015, the response actions in the Catalogue amounted to 128, compared to 254 at the end of 2014 and to 450 of the experimental phase. About 19% correspond to those proposed for mitigating Corporate risks, monitored by appropriate output and performance indicators. Treatments - Responsability Internal ,8% ,4% 62 48,4% 12 48,0% External 44 9,8% 21 8,3% 14 10,9% 0 0,0% Cross-cutting ,2% ,3% 52 40,6% 13 52,0% Other 64 14,2% 0,0% 0,0% TOTALE Corporate Page 16

17 Top down approach: Roles and accountabilities 1) All staff are responsible for an effective management of risks including identification of any potential risks; 2) Risk management is driven by the organizational units; 3) AnOfficeisdedicatedtothecoordinationofthe management process and risk analysis, adopting an unbiased perspective against any other structures and supporting the highest level of decision making; 4) The Risk Manager is responsible for: collaborating with Top Management both in identifying high risk areas related to strategic and business processes and in planning treatments to mitigate corporate risks; 5) The Advisory Board, composed by the top managers (operating in the most risky areas), defines the Risk Management policy; 6) Chief Statisticians and Governing body define the strategies also on the information coming from the RM System; 7) The organizational model envisages an Internal Auditing office for reporting to the Governance on the adequacy of RM process and the compliance of mitigating actions. Page 17

18 Where we are going to Improving the Risk Management System: Connecting Risk Management System to GAMSO Designing a set of Key Risk Indicators tailored for GSBPM standard AdoptingtheModelforFraudrisks Improving ERM supporting software Fostering link with Performance Evaluation Improving Quality through Risk Management Moving to a centralized organizational Model Implementing three levels of Controls: first control line: Management (risk owner), responsible for verifying and mitigating risks, monitors controls on the ongoing activities second control line: Risk Management Office, whose task is to facilitate, monitors and supervises the ERM process third control line: Risk-Based Internal Auditing, independent, provides reasonable assurance on the ERM effectiveness as well as the activities of thefirstandsecondlineofcontrol Deeper integration(internal controls& Management information system) Page 18

19 Reporting and Communication: the «RiskInIstat» tool The information system RiskInIstat has been implemented to manage risks via web with the main objective to let Management edit and view the necessary information, in an intuitive and immediate way. Login It gives the possibility to update the catalogs, showing how much the objectives has been realizing at different stages of the ERM process, provided that RELIABLE information is uploaded!!! Page 19

20 Thank you for your attention!!! Fabrizio ROTUNDI Page 20